
Researchers Discover 14,000 Routers Wrangled Into Never-Before-Seen Botnet (arstechnica.com)

(Wednesday March 11, 2026 @11:30PM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from Ars Technica:

> Researchers say they have [1]uncovered a takedown-resistant botnet of 14,000 routers and other network devices -- primarily made by Asus -- that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime. The malware -- dubbed KadNap -- takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen's Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it's unlikely that the attackers are using any zero-days in the operation.
>
> The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus [2]discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on [3]Kademlia (PDF), a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.
>
> [...] Despite the resistance to normal takedown methods, Black Lotus says it has devised a means to block all network traffic to or from the control infrastructure." The lab is also distributing the indicators of compromise to public feeds to help other parties block access. [...] People who are concerned their devices are infected can check [4]this page for IP addresses and a file hash found in device logs. To disinfect devices, they must be factory reset. Because KadNap stores a shell script that runs when an infected router reboots, simply restarting the device will result in it being compromised all over again. Device owners should also ensure all available firmware updates have been installed, that administrative passwords are strong, and that remote access has been disabled unless needed.



[1] https://arstechnica.com/security/2026/03/14000-routers-are-infected-by-malware-thats-highly-resistant-to-takedowns/

[2] https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/

[3] https://pdos.csail.mit.edu/~petar/papers/maymounkov-kademlia-lncs.pdf

[4] https://github.com/blacklotuslabs/IOCs/blob/main/KadNap_IOCs.txt



Pledge fealty to your favorite warlord (Score:2)

by abulafia ( 7826 )

Beginning to think that, if you are a normie[1], affirmatively picking your malware might be the way to go. You're going to get pwned, so you may as well pick one that will defend your gateway from other gangs and hopefully not be too awful.

Maybe someday we'll see APTs advertising for vassals and competing on terms.

[1] As in, you don't run snort at home or monitor CVE feeds

I hate to be that guy but... (Score:3)

by ZombieCatInABox ( 5665338 )

... OpenWRT. That is all.

Re: (Score:2)

by Narcocide ( 102829 )

What ever happened to that project that was announced here on Slashdot a while back where someone was gonna try to make a fully open-source-hardware, OpenWRT-compatible wifi router device? Did that ever manage to get off the ground?

A worthy adversary! (Score:2)

by Gravis Zero ( 934156 )

> One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia (PDF), a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers.

For the unaware, distributed hash tables (DHT) are regularly used for file-sharing applications, not to distribute files but to find other computers that are sharing files. The downside of DHT is that it's "slow", meaning it can take several minutes for a message to permeate the network.

Far too often, it seems like cyber criminals are too dumb to be effective because you almost never hear about P2P infrastructure when it comes to botnets. They just keep putting up obvious C&C points that just get taken
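The Kademlia structure named in the Ars summary and in Gravis Zero's comment, as an added illustration that is not code from the article, from Black Lotus Labs, or from the botnet: it shows the XOR distance metric, k-bucket placement and the k-closest-node selection that decides which peers are responsible for a key, which is why a DHT-based overlay has no single control address a defender can block. All peer labels and the key are constructed values, and k=4 is chosen for brevity (the paper suggests 20).

```python
# Minimal Kademlia-style routing math (added example; constructed IDs, not real KadNap data).
import hashlib

ID_BITS = 160  # Kademlia identifiers are 160 bits (SHA-1 sized)
K = 4          # bucket size / replication factor; the paper suggests k=20

def node_id(label: str) -> int:
    """Derive a 160-bit identifier from a label (constructed, for the demo)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: the distance between two IDs is their XOR."""
    return a ^ b

def bucket_index(own: int, other: int) -> int:
    """k-bucket a peer falls into: index of the highest bit where the IDs differ.
    Returns -1 when the IDs are identical."""
    d = xor_distance(own, other)
    return d.bit_length() - 1 if d else -1

def k_closest(target: int, peers: dict, k: int = K) -> list:
    """Labels of the k peers whose IDs are XOR-closest to the target key.
    In Kademlia these peers hold the key/value; nothing about the key names an IP."""
    ranked = sorted(peers.items(), key=lambda kv: xor_distance(kv[1], target))
    return [label for label, _ in ranked[:k]]

def responsible_peers(key_label: str, peers: dict, k: int = K) -> list:
    """Which peers a lookup for key_label converges on in this overlay."""
    return k_closest(node_id(key_label), peers, k)

if __name__ == "__main__":
    # Constructed overlay of 20 peers; in a real DHT these join and leave constantly,
    # so the set returned below shifts over time and blocking one peer does not remove the key.
    peers = {f"peer-{i}": node_id(f"peer-{i}") for i in range(20)}
    print("peers responsible for 'task:example':", responsible_peers("task:example", peers))
    print("k-bucket of peer-1 as seen by peer-0:", bucket_index(peers["peer-0"], peers["peer-1"]))
```

Running it prints the four constructed peers closest to the key and the bucket index (0 to 159) that peer-0 would file peer-1 under.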
